Static Analysis On Windows

Static analysis on Windows mirrors similar tasks to Linux but uses Windows-specific tools to identify file properties, hashes, strings, and packing details. This guide covers essential commands and tools for Windows-based static malware analysis.

Key Static Analysis Components on Windows

File Type Identification: Use tools to verify executable types (e.g., PE files).
File Hashing: Generate unique file hashes (MD5, SHA256) for malware tracking.
Import Hashing (IMPHASH): A hash based on imported functions to identify similar samples.
Fuzzy Hashing (SSDEEP): Content similarity hashing for slight variations.
Section Hashing: Hashing individual PE sections to detect changes.
String Analysis: Extracts embedded text strings, often revealing useful insights.
Unpacking Packed Malware: Remove obfuscation to reveal underlying code.

File Type Identification

Use CFF Explorer (located at C:\Tools\Explorer Suite) to check the file type and confirm it as a Windows executable by looking for the ASCII string "MZ" in the file header.

Malware Fingerprinting

File Hashing with PowerShell

Generate MD5 or SHA256 hashes for identifying malware samples:

Get-FileHash -Algorithm MD5 C:\Samples\MalwareAnalysis\malware.exe
Get-FileHash -Algorithm SHA256 C:\Samples\MalwareAnalysis\malware.exe

Import Hash (IMPHASH) Calculation

IMPHASH provides a consistent hash for identical imports across similar samples. It can be calculated using pefile in Python:

import sys
import pefile

pe_file = sys.argv[1]
pe = pefile.PE(pe_file)
print(pe.get_imphash())

Run the script:

python imphash_calc.py C:\Samples\MalwareAnalysis\malware.exe

Fuzzy Hashing (SSDEEP)

Use SSDEEP for similarity matching of malware variations:

C:\Tools\ssdeep-2.14.1\ssdeep.exe C:\Samples\MalwareAnalysis\malware.exe

Section Hashing with Python

Section hashing is useful for identifying modified sections in similar malware samples. Example code using pefile:

import sys
import pefile

pe_file = sys.argv[1]
pe = pefile.PE(pe_file)
for section in pe.sections:
    print(section.Name, "MD5 hash:", section.get_hash_md5())
    print(section.Name, "SHA256 hash:", section.get_hash_sha256())

To use section hashing, tools like pestudio (located at C:\Tools\pestudio\pestudio) can also be helpful.

String Analysis

Extracting strings provides insights into the malware’s behavior, such as IPs, file paths, or API calls. Use Strings from Sysinternals:

C:\Sysinternals\strings.exe C:\Samples\MalwareAnalysis\malware.exe

Alternatively, use FLOSS for deobfuscating strings:

C:\FLOSS\floss.exe C:\Samples\MalwareAnalysis\malware.exe

Unpacking UPX-Packed Malware

UPX packing often conceals code. Identify packed files by looking for "UPX" in the strings output. Unpack with UPX:

C:\Tools\upx\upx-4.0.2-win64\upx.exe -d -o unpacked_malware.exe C:\Samples\MalwareAnalysis\packed\malware.exe

After unpacking, rerun strings to examine the revealed contents:

C:\Sysinternals\strings.exe unpacked_malware.exe

PreviousStatic Analysis On Linux NextDynamic Analysis

Last updated 2 months ago

hashtagKey Static Analysis Components on Windows

hashtagFile Type Identification

hashtagMalware Fingerprinting

hashtagFile Hashing with PowerShell

hashtagImport Hash (IMPHASH) Calculation

hashtagFuzzy Hashing (SSDEEP)

hashtagSection Hashing with Python

hashtagString Analysis

hashtagUnpacking UPX-Packed Malware